2015: A Relatively New Penetration Testing Tool to be Aware of in 2015!

The Zed Attack Proxy (ZAP) is an easy-to-use, integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

The Zed Attack Proxy (ZAP) is an easy-to-use, integrated penetration testing tool. It locates vulnerabilities in web applications and helps you build secure apps. Designed for use by people with a wide range of security experience, it’s also suited for developers and functional testers who are new to penetration testing. With its automated scanner and powerful REST API, ZAP fits seamlessly into your continuous integration environment, allowing you to automate the finding of common issues while you’re still in development.
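As an added example (not from the original post or from the ZAP project itself), the script below shows what "fits into your continuous integration environment" looks like in practice: it drives a running ZAP daemon through the REST API the paragraph mentions, spiders the application under test, runs the active scan, pulls the resulting alerts (which also include passive-scan findings) and fails the build when anything rated High or Medium is present. The ZAP address, API key and target URL are assumed placeholders, and the alert list used to exercise the gate logic is constructed sample data, not real scan output.

```python
"""CI gate around ZAP's JSON REST API (added example; assumes a ZAP daemon).

Endpoints used (all exist in ZAP's API):
  /JSON/spider/action/scan/   /JSON/spider/view/status/
  /JSON/ascan/action/scan/    /JSON/ascan/view/status/
  /JSON/core/view/alerts/
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"   # assumed: address of the ZAP daemon
API_KEY = "changeme"                # assumed: key configured in ZAP's API options
TARGET = "http://localhost:3000"    # assumed: the application under test in CI


def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=..."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"


def call(component, kind, name, **params):
    """Perform one API call and decode the JSON reply."""
    with urllib.request.urlopen(api_url(component, kind, name, **params), timeout=60) as resp:
        return json.load(resp)


def wait_for(component, scan_id, poll_seconds=5):
    """Poll the spider/ascan status view until it reports 100 percent complete."""
    while True:
        status = int(call(component, "view", "status", scanId=scan_id)["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def summarize(alerts):
    """Count alerts per ZAP risk level, de-duplicated by (alert name, URL).

    ZAP reports one alert instance per affected parameter, so the same
    finding on the same URL can appear several times; a CI summary should
    count it once.
    """
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    seen = set()
    for alert in alerts:
        key = (alert["alert"], alert["url"])
        if key in seen:
            continue
        seen.add(key)
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def build_should_fail(counts, fail_on=("High", "Medium")):
    """Gate decision: fail the pipeline if any alert at a listed level exists."""
    return any(counts.get(level, 0) > 0 for level in fail_on)


def run_pipeline_scan(target=TARGET):
    """Spider, then actively scan the target, and return the risk summary."""
    spider_id = call("spider", "action", "scan", url=target)["scan"]
    wait_for("spider", spider_id)                     # populate the sites tree
    ascan_id = call("ascan", "action", "scan", url=target)["scan"]
    wait_for("ascan", ascan_id)                       # active scan of what was found
    alerts = call("core", "view", "alerts", baseurl=target)["alerts"]
    return summarize(alerts)


# Constructed sample of what core/view/alerts returns (trimmed to the fields used).
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "url": "http://localhost:3000/login"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:3000/"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://localhost:3000/"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "url": "http://localhost:3000/app.js"},
]

if __name__ == "__main__":
    # Against a live daemon: counts = run_pipeline_scan()
    counts = summarize(SAMPLE_ALERTS)
    print(counts)
    raise SystemExit(1 if build_should_fail(counts) else 0)
```

The non-zero exit status is what makes this usable as a CI step: the job fails on High or Medium findings and passes otherwise, and the `fail_on` threshold can be relaxed to `("High",)` while a legacy application's Medium backlog is being worked down.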

ZAP’S FUNCTIONALITY

  • Intercepting proxy
  • Traditional and AJAX spiders
  • Active scanner
  • Passive scanner
  • Forced Browsing
  • Open source
  • Cross platform
  • Easy to install
  • Completely free
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Translated into a dozen languages
  • Community-based with involvement actively encouraged
  • Under active development by an international team of volunteers
  • Fuzzer
  • Dynamic SSL certificates
  • Smart card support
  • Web sockets support
  • Authentication and session support
  • Powerful REST based API
  • Support for a wide range of scripting languages
  • Automatic updating option
  • Integrated and growing marketplace of add-ons

Quotes from customers:

“ZAP is the best option for people getting into web security.” Matt Tesauro, Product Security Engineering Lead, Rackspace

“ZAP is unequivocally part of my arsenal, for both assessments and teaching opportunities. It’s a wonderful tool when advocating SDL/SDLC to a room full of developers, and it’s equally effective when ripping through a vulnerable web app.” Russ McRee, GIAC+, CISSP, HolisticInfoSec.org

Check it out!

Jock
